Automatic verification of SLA for Firewall Configuration in Grid Environments
Gian Luca Volpato – Cracow Grid Workshop 08 – 15 October 2008
Gian Luca Volpato, Christian Grimm, Martin Janitschke
Motivation
Facilitate the integration of new resources into a Grid:
1. Definition of security profiles
2. Certification of firewall setup
3. Monitoring firewall configuration as part of the Service Level Agreements
Summary
1. Firewall configuration issues
2. Classification of middleware components
3. Definition of security profiles
4. SLA extension
5. Tool for automatic verification of firewall configuration
6. Q&A
Integration of new partners
- Installation of Grid middleware(s)
- Creation of local user accounts
- Registration to the information services
- …
- Configuration of firewall rules
Firewall rules that are too restrictive prevent legitimate communications; rules that are too loose allow unauthorized communications.
Classification of middleware components
Four categories of middleware components:
1. Computing frontends
2. Data frontends
3. Interactive nodes
4. Worker nodes
[Figure: example site layout. Computing frontends: Globus GRAM, UNICORE NJS, LCG/gLite CE. Data frontends: OGSA-DAI, dCache SE. An interactive node, and a batch system dispatching jobs to the worker nodes.]
Communication paths
Identification of network ports used by each component for incoming connections
Component      Incoming ports
GT 4.0 GRAM    2811, 8443, 20000-25000
dCache SE      2135, 2811, 8443, 20000-25000
OGSA-DAI       8443
Security profiles
Minimize the number of connections traversing firewalls
Profiles range from basic services to the complete set of functionality
[Table: security profile levels 1 to 4 against the four component categories (Computing, Data, Worker node, Interactive node). Level 1 excludes two categories, levels 2 and 3 exclude one each, level 4 includes all four; the per-cell marks showing which category each level excludes were not recoverable.]
SLA extension
Each site declares which security profile it will implement
This provides a guarantee that communication to/from the corresponding Grid services is allowed, i.e. that the firewall is correctly configured
Verification takes place:
- before accepting a site into production
- periodically, for the whole duration of the collaboration
Verification of firewall configuration
A central service performs periodic verifications that:
- the ports required by the declared profile are accessible
- all other ports are blocked
In a further evolution, selected sites may verify each other peer-to-peer, triggered on demand.
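The following is an added example, not the authors' verification tool, of what such a check looks like in code. It combines the two slides above: the incoming-port table from "Communication paths" (GT 4.0 GRAM, dCache SE, OGSA-DAI) is used to expand a site's declared components into the set of ports that must accept connections, and a TCP connect probe then checks both SLA conditions, expected ports open and sampled other ports not open. The profile expansion, the function names, the result format and the local demo setup (a loopback listener standing in for a Grid service, a freed ephemeral port standing in for a blocked one) are assumptions for illustration.

```python
"""Port-level check of a site's firewall against its declared security profile.

Added example (not the authors' tool). Component port lists come from the
"Communication paths" slide; profile composition, function names and the
result format are assumptions for illustration.
"""
import socket

# Incoming ports each component needs, as (low, high) ranges, from the slide.
COMPONENT_PORTS = {
    "GT 4.0 GRAM": [(2811, 2811), (8443, 8443), (20000, 25000)],
    "dCache SE":   [(2135, 2135), (2811, 2811), (8443, 8443), (20000, 25000)],
    "OGSA-DAI":    [(8443, 8443)],
}


def profile_ports(components):
    """Union of incoming ports for the components a site declares (assumed
    here to be how a security profile expands into an expected port set)."""
    ports = set()
    for name in components:
        for low, high in COMPONENT_PORTS[name]:
            ports.update(range(low, high + 1))
    return ports


def probe(host, port, timeout=1.0):
    """TCP connect probe. 'open': handshake completed. 'closed': RST came
    back, so the host is reachable but nothing listens (no firewall in the
    way). 'filtered': no answer or unreachable, the usual sign of a drop rule.
    Note that 'open' only proves reachability, not that the right middleware
    service is behind the port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "filtered"
    finally:
        sock.close()


def verify_site(host, expected, must_be_blocked, probe_fn=probe):
    """Check the two SLA conditions: every expected port accepts connections
    and no port in must_be_blocked does. Probing all 65535 ports on every run
    is expensive, so the caller chooses which non-profile ports to sample;
    sampled ports that are also expected are skipped."""
    missing = []
    for port in sorted(expected):
        state = probe_fn(host, port)
        if state != "open":
            missing.append((port, state))
    unexpected_open = [port for port in sorted(set(must_be_blocked) - set(expected))
                       if probe_fn(host, port) == "open"]
    return {"missing": missing, "unexpected_open": unexpected_open,
            "compliant": not missing and not unexpected_open}


def demo():
    """Run the check against a constructed local setup: one listening socket
    stands in for a Grid service, a freed ephemeral port for a blocked one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                      # nothing listens here now -> RST
    try:
        compliant = verify_site("127.0.0.1", {open_port}, [closed_port])
        port_missing = verify_site("127.0.0.1", {open_port, closed_port}, [])
        port_leaking = verify_site("127.0.0.1", set(), [open_port])
    finally:
        srv.close()
    return compliant, port_missing, port_leaking


if __name__ == "__main__":
    for label, result in zip(("compliant", "missing port", "leaking port"), demo()):
        print(label, result)
```

Against a real site the central service would call `verify_site(site_host, profile_ports(declared_components), sampled_ports)`, with the 20000-25000 range expanding to 5001 ports; the distinction between `closed` and `filtered` in the `missing` list tells the site administrator whether a service is down or a firewall rule is wrong.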
Summary
1. Firewall configuration issues
2. Classification of middleware components
3. Definition of security profiles
4. SLA extension
5. Tool for automatic verification of firewall configuration
Q&A